Spam - any tips?

We seem to be under a spam attack with a malicious html attachment. I've blocked html, htm etc as a last resort.

The emails have gone straight through our UTM spam filter and are coming from outbound.protection.outlook.com with numerous IPs, etc.

Anybody got any tips on how to block?

  • Most spam uses "open" mail servers to send email.

    I assume the use of outlook.com is not with a domain that is registered in the same location in 365 (each domain has its own CNAME).

    Try adding the "strict DNS" check in the SMTP policy.

    This will reduce the spam and also will avoid mail sent from organizations that did not configure their mail servers properly.

  • In reply to Hayim Caspy:

    The rDNS is xxx.outbound.protection.outlook.com where xxx is the client name.

    Strict DNS is already enabled and it went straight through that. It's coming from multiple M$ mail servers!

  • Any chance of blocking these mails by Extra-RBL? Tell abuse@outlook.com what's going on; maybe they care.

    Best regards

    Alex

  • In reply to Alexander Busch:

    The UTM is now blocking and registering them as Malware/Phish.

    Still hitting us every 10 minutes or so constantly and all coming from Microsoft's servers.

    You would think that they would know what's going on by scanning outgoing content....

  • In reply to Louis-M:

    Louis sent me the headers of one of these emails.  There's nothing there to find as the emails are coming from valid Outlook accounts.  My guess would be infected user workstations as opposed to phished credentials.

    In this case, the best thing would be to submit a report to abuse@microsoft.com for any such email.

    Cheers - Bob

  • In reply to BAlfson:

    They are starting to turn up on blacklists, but it makes you wonder what Microsoft are doing, i.e. do they stop mail being sent through the offending IP altogether?

    Is that IP ever recycled, e.g. used to send email from again?

    On top of that, you would still think Microsoft would scan mail outgoing??

  • In reply to Louis-M:

    I'd be surprised if the IPs would be on an RBL, Louis.  What was the reason that the SMTP log gave for blocking one of those emails?

    Cheers - Bob

  • In reply to BAlfson:

    I checked the IP via mxtoolbox and some of them eventually went onto blacklists although not all did.

    Others were eventually detected as Malware/Phish.

    And some got through and continue to get through.
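As an added illustration of the two checks discussed in this thread, the "strict DNS" SMTP policy and an extra RBL (this is example code, not from the thread, from Sophos or from Microsoft): it pulls the connecting IP from the topmost Received header, applies the forward-confirmed reverse DNS test that strict DNS performs, and queries a DNSBL zone. The sample header, the DNS answers and the `dnsbl.example` zone are constructed so it runs offline; it shows why a genuine outbound.protection.outlook.com relay passes strict DNS and why only an RBL hit can flag such a message.

```python
import re
from email import message_from_string
from typing import Callable, Dict, List, Optional

# Constructed sample message (not a header from the thread): relayed to our MX by a
# Microsoft 365 outbound host whose reverse DNS is under outbound.protection.outlook.com.
SAMPLE_RAW = (
    "Received: from NAM01-BN3.outbound.protection.outlook.com"
    " (mail-bn3nam01.outbound.protection.outlook.com [203.0.113.25])\n"
    "\tby mx.example.org with ESMTPS; Tue, 1 Jan 2019 10:00:00 +0000\n"
    "From: user@tenant.example\nSubject: test\n\nbody\n"
)
# Offline stand-ins for DNS (hypothetical data) so the example runs without network.
# For live use pass socket.gethostbyaddr-based PTR and socket.gethostbyname_ex-based A lookups.
FAKE_PTR = {"203.0.113.25": ["mail-bn3nam01.outbound.protection.outlook.com"]}
FAKE_A = {
    "mail-bn3nam01.outbound.protection.outlook.com": ["203.0.113.25"],
    # A DNSBL answers the reversed-octet query with 127.0.0.x when the IP is listed.
    "25.113.0.203.dnsbl.example": ["127.0.0.2"],
}
Lookup = Callable[[str], List[str]]
fake_ptr: Lookup = lambda ip: FAKE_PTR.get(ip, [])
fake_a: Lookup = lambda name: FAKE_A.get(name, [])


def connecting_ip(raw: str) -> Optional[str]:
    """Address of the host that handed the message to our MX (topmost Received header)."""
    received = message_from_string(raw).get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return m.group(1) if m else None


def fcrdns_name(ip: str, ptr: Lookup, a: Lookup) -> Optional[str]:
    """Forward-confirmed reverse DNS, the test a 'strict DNS' SMTP policy applies:
    some PTR name of the IP must resolve back to that same IP."""
    return next((n for n in ptr(ip) if ip in a(n)), None)


def dnsbl_hits(ip: str, zones: List[str], a: Lookup) -> List[str]:
    """Names of the DNSBL zones (e.g. a UTM 'Extra RBL') that list the IP."""
    rev = ".".join(reversed(ip.split(".")))
    return [z for z in zones if a(f"{rev}.{z}")]


def classify(raw: str, ptr: Lookup = fake_ptr, a: Lookup = fake_a,
             zones=("dnsbl.example",)) -> Dict[str, object]:
    ip = connecting_ip(raw)
    name = fcrdns_name(ip, ptr, a) if ip else None
    return {
        "ip": ip,
        "fcrdns": name,  # a genuine outlook.com relay passes this, so strict DNS will not stop it
        "outlook_relay": bool(name and name.endswith(".outbound.protection.outlook.com")),
        "rbl": dnsbl_hits(ip, list(zones), a) if ip else [],
    }
```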